Nokia Lumia Windows Phone 8 Security.pdf

1 Nokia Lumia Windows Phone 8 security│ v3.0 | © 2013 Nokia

Nokia Lumia Windows Phone 8 security


Nokia Lumia Windows Phone 8 security

Nokia Expert Centre Nokia Lumia WP8 training


INTRODUCTION TO NOKIA LUMIA WP8 IN THE ENTERPRISE

USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT EXCHANGE

MOBILE DEVICE MANAGEMENT FOR NOKIA LUMIA WP8 PHONES

COMPANY APPS FOR NOKIA LUMIA WP8 PHONES

NOKIA LUMIA WP8 PHONE SECURITY

USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT LYNC

USING NOKIA LUMIA WP8 PHONES WITH MICROSOFT SHAREPOINT

• Overview knowledge of Nokia WP8 phone features

• Knowledge of common security concepts

• Admin skills on Windows Server 2008 R2

Prerequisites


Objectives • Describe the Secure Boot architecture and app platform

security features

• Describe phone security features configurable through Mobile Device Management (MDM) policy

• Manage certificates on the phone

• Describe intranet service access through SSL VPN

Learning time

minutes

60

Security threats addressed with WP8


Trusted boot

Platform security

No browser plug-in support

Store app certification

Lock screen password

ActiveSync & MDM policies

Remote wipe

Device encryption

Information Rights Management

Connection security

Data leakage Malicious software

Contents


Security features configurable through policy

Connection security and certificates

Trusted Boot and platform security


Objectives

• Describe the Secure Boot architecture and app platform security features

Trusted Boot and platform security

Learning time 20 minutes

Chain of trust


Only trusted pre-OS firmware code can execute

The firmware only boots a trusted WP8 OS image

WP8 OS allows only trusted and signed apps to run

Apps can only access phone features they require

Trusted boot


HARDWARE ONLY LOADS UNMODIFIED

WP8 OS

User knows they are working with genuine

Microsoft WP8 OS

OK

Not loaded Modified WP8 OS

Unmodified WP8 OS

Other OS

Disabling of security controls in WP8

PREVENTS ATTACKS

Malicious OS that looks like WP8

Trusted Boot parts


WINDOWS PHONE 8 OS

UEFI 2.3.1 FIRMWARE

CHIPSET

OS loader

OS

Keys and settings

UEFI specifications

One-time writable info

Digitally signed

Digitally signed drivers

http://www.uefi.org/specifications

http://www.uefi.org/specifications/

Chambered security model


Each app runs in its own

chamber

Chambers are isolated from each other

SD

Camera

SD card

Sensors

Each chamber has access to specific phone

capabilities

No difference between C# and C++ code!

Chamber model security benefits


Attack surface reduction

1

User consent and control

3

App isolation

2

SD

Kernel, drivers

WP7 and WP8 chambers


Least Privilege Chamber

Standard Rights Chamber

Elevated Rights Chamber

Trusted Computing Base

OS components, drivers

Pre-installed Microsoft apps

All apps from Marketplace

OS components, most drivers,

all apps

Least Privilege Chamber

Kernel, drivers

Trusted Computing Base

MORE SECURE

App development and publishing


WP8 Store

Developer specifies required capabilities in a manifest file

Manifest file used in app certification process

App manifest

Publish app

App deployment


WP8 Store

Download app

Access to only the required capabilities

User sees required capabilities in app details page in Store

Phone creates a new chamber for the app

App manifest

Complete list of supported capabilities

http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206936(v=vs.105).aspx

http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206936(v=vs.105).aspx

App checks and signing


WP8 Store

MDM server

.xap

.xap

.xap

Store signed

Enterprise signed

Developer unlocked only

Code checks

Code checks

Windows Phone Store Test Kit

Store requirements

http://msdn.microsoft.com/en-us/library/windowsphone/develop/hh394032(v=vs.105).aspx

http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx

Phone updates


All updates signed and

distributed by Microsoft

User can postpone - no way to force

updates

Use MDM to track inventory

Key learning points


• WP8 uses secure boot to validate all pre-OS components

• Digital signatures are used to verify that no untrusted code runs before the OS is loaded

• WP8 OS allows apps to run only in their own isolated chambers

• Each chamber is granted access to only the specific capabilities the app requires to function

• Users are in control of updating their WP8 phone


Objectives

• Describe phone security features configurable through Mobile Device Management (MDM) policy

Security features configurable through policy


Managing WP8 security through policy


DeviceLock CSP

Registry CSP

MDM SERVER

Storage CSP

Access control

Password

Encryption

Disable / enable memory card

Wipe device RemoteWipe CSP

EAS

Access control Password Encryption Wipe device

EXCHANGE

Access control


DevicePasswordEnabled

FALSE TRUE

MaxInactivityTimeDeviceLock

1 999 ... FALSE (minutes)

Password complexity


qwerty

1111

12345 TRUE

FALSE

password

4 18 ...

AllowSimpleDevicePassword

MinDevicePasswordLength

AlphanumericDevicePasswordRequired

MinDevicePasswordComplexCharacter

P4?d

.!?

abc

ABC

123

P277w6rd TRUE

FALSE

1 4 ...

DevicePasswordExpiration

1 730 ...

Password rotation


raspberry

strawberry

blueberry

raspberry

(days) FALSE

DevicePasswordHistory

0 50 ...

Device encryption (HW accelerated)


Encryption/ decryption

“BITLOCKER” TECHNOLOGY

Decrypted content

Keys protected by platform

security

No management

No PIN

Apps USB MTP

Storage

USB MTP AND SYNC APPS

SD card

AES-128 Not readable outside the OS

WINDOWS PHONE 8 OS

To disable, reset phone

Encryption enabled

Not available in all countries

Enabling device encryption


MDM server

Registry CSP

RequireDeviceEncryption

EAS

Exchange

DeviceEncryption

Device wipe options


RemoteWipe CSP

Exchange Admin tools

Windowsphone.com

Outlook Web App

Office 365 OWA User

EAS Policy

OS

Office 365 Admin tools

Windows Intune

Failed attempts Phone reset

Admin SCCM SP1

Third-party MDM

Cloud

On-premise

Failed attempts


MaxDevicePasswordFailedAttempts

1 999 ... FALSE

* n-1

unlo

ck

wip

e

Enabling IRM functionality


EAS

Exchange

IRMEnabled

Not supported through full MDM

MDM

SD card control


Full MDM Server

Disable memory card

Storage CSP

Exchange

Not supported through EAS

Key learning points


• Access control policies set a password and automatic lock

• Password complexity and rotation policies prevent passwords that are easy to guess

• Device encryption can be only turned on

• There is one more attempt before phone is wiped after failed attempts

• SD can only be disabled through full MDM policy, IRM can only be enabled through EAS policy


Objectives

• Manage certificates on the phone

• Set up client certificate authentication

• Describe intranet service access through SSL VPN

Connection security and certificates


Browsing the web on WP8


Microsoft server 2 Check URL against list of

unsafe web pages

1 Check URL in local whitelist

Check result: Unsafe

Periodic anonymous reporting

3

SMART SCREEN FILTER No plug-ins are

supported

Isolated chamber

WP8 Virtual Private Network (VPN) options


INTERNET

CORPORATE INTRANET

IPSec VPN

IPSec VPN gateway

HTTP-based services

MOBILE OPERATOR NETWORK

Custom APN Cellular

data

Cellular/Wi-Fi

SSL-VPN GATEWAY

SSL/TLS Basic Authentication Direct IPSec VPN

not supported

SSL-VPN guide

https://expertcentre.nokia.com/en/downloads/docs/Pages/SSL-VPN-guide-for-Nokia-Lumia-phones.aspx



SSL server authentication


Web server

Intermediate CA

One-time warning

GET www.ylearning.net

SSL Server Hello

CA=CA2 CN=www.ylearning.net

CA=CA1 CN=CA2

Root CA

CA1

CA1 CA2

INSTALL SERVER AND INTERMEDIATE CERTS

INSTALL CA ROOT CERT

PREINSTALLED ROOT CERTIFICATES

http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx



Client certificate authentication


GET www.ylearning.net

SSL client response

CA=CA2 [email protected] EKU=Client Authentication (1.3.6.1.5.5.7.3.2)

MAP CERT TO USER

Tom

PHONE SENDS CERTIFICATE IN

CLIENT RESPONSE

SSL Server Hello (server cert)

CERT PROVES USER IDENTITY

Tom

Client certificates are currently supported only by EAS in WP8

NOTE!

CONFIGURING CERTIFICATE AUTHENTICATION FOR EAS

http://technet.microsoft.com/en-us/library/jj151786.aspx

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx

Installing certificates


Web server

SUPPORTED FORMATS

.cer

.p7b

.pem

.pfx

EMAIL ATTACHMENT

Check MIME type

INTERNET EXPLORER

Password protection

No certificate management UI

To remove, reset phone

MDM server

PUSH CERTIFICATE

Key learning points


• IE10 Smart Screen filter prevents access to sites impersonating as known websites

• WP8 phones can connect to intranet services through a SSL-VPN gateway

• IE10 warns the user about websites with untrusted server certificate

• EAS connections can use SSL client certificate authentication


Summary

Summary of Nokia Lumia WP8 security


• WP8 platform security establishes a chain of trust from hardware to Store apps

• A Nokia Lumia WP8 phone does not start if the OS has been modified or replaced

• WP8 apps run in isolated chambers with only the needed capabilities

• Most WP8 security features can be managed through both EAS and full MDM

• IE10 provides secure browsing

• WP8 connection security is based on HTTP/SSL and certificates

Let’s continue the discussion online


Join the Nokia Expert Centre Community to discuss about Nokia products and business solutions

All registered users can post and share their experiences

Documents

Nokia Lumia Windows Phone 8 Security.pdf